Mitigating the Risk of Encryption Ransomware

With ransomware attacks growing in both number and sophistication, organizations need a solid,
multi-layer defense strategy that helps them block attacks and quickly discover any infections in
progress, so they can limit the impact on data and operations. A solid file backup and recovery
process is of top importance among these measures.

See how Netwrix Auditor helps you reduce the damage from crypto-ransomware

Control user privileges

Most encryption ransomware can encrypt only the data that the user who activated the payload has permissions to access. Therefore, limiting each user's access rights to what that user's role requires, in keeping with the least privilege principle, is a solid strategy for narrowing ransomware's ability to cripple your files. Netwrix Auditor enables effective control over user account permissions by reporting on all of the following:

Excessive Access Permissions

See who has 'full control' access permissions for shares and folders that they access infrequently. Removing excessive permissions to access sensitive and critical data limits the power of ransomware. You can also review the Stale Data report to discover which data is not being actively used, and either move that data to a protected archive or encrypt it.

Account Permissions

Verify the appropriateness of user access rights by reviewing each user's assigned permissions to files and folders against HR employee listings and employee job descriptions.

Object Permissions

See what account permissions are associated with particular critical files and shares and how those permissions were assigned to users – directly or through group membership.

Permission Changes

Enable control over privilege escalation by reviewing detailed information about all changes to file, folder and share permissions.

Security Group Membership Changes

Detect improper delegation of access rights by reviewing detailed information about all changes to security group membership.
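As an added example, and not Netwrix Auditor's own code or report logic, the following PowerShell script performs a review similar to the Excessive Access Permissions and Object Permissions checks above against a single share: it walks the folders under a share root, reports every Allow entry that grants Full Control to a principal outside an administrative allow-list, notes whether the entry is explicit or inherited, and marks a folder as stale when none of its files has been accessed within the cutoff. The share path, the allow-list and the 180-day cutoff are assumptions to be adjusted for your environment.

```powershell
# Added example (not Netwrix code): find Full Control grants on a share and flag stale folders.
# The share root, allow-list and stale cutoff below are assumed values.
param(
    [string]$ShareRoot = '\\fileserver01\finance',                      # assumed share path
    [int]$StaleAfterDays = 180,                                         # assumed cutoff
    [string[]]$AllowedFullControl = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')
)

function Get-ExcessiveFullControl {
    param([string]$Path, [int]$StaleDays, [string[]]$Allowed)

    $cutoff  = (Get-Date).AddDays(-$StaleDays)
    $full    = [System.Security.AccessControl.FileSystemRights]::FullControl
    $folders = @(Get-Item -LiteralPath $Path) +
               @(Get-ChildItem -LiteralPath $Path -Directory -Recurse -ErrorAction SilentlyContinue)

    foreach ($folder in $folders) {
        $acl = Get-Acl -LiteralPath $folder.FullName

        # The most recently accessed file in the folder approximates "when was this data last used".
        $newest = Get-ChildItem -LiteralPath $folder.FullName -File -ErrorAction SilentlyContinue |
                  Sort-Object LastAccessTime -Descending | Select-Object -First 1
        $lastAccess = if ($newest) { $newest.LastAccessTime } else { $folder.LastAccessTime }

        foreach ($ace in $acl.Access) {
            # Only Allow entries that carry every Full Control bit are of interest here.
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if (-not $ace.FileSystemRights.HasFlag($full)) { continue }
            if ($Allowed -contains $ace.IdentityReference.Value) { continue }

            [pscustomobject]@{
                Folder     = $folder.FullName
                Identity   = $ace.IdentityReference.Value
                Inherited  = $ace.IsInherited        # explicit (non-inherited) grants are the first to review
                LastAccess = $lastAccess
                Stale      = ($lastAccess -lt $cutoff)
            }
        }
    }
}

Get-ExcessiveFullControl -Path $ShareRoot -StaleDays $StaleAfterDays -Allowed $AllowedFullControl |
    Sort-Object Stale, Folder -Descending |
    Format-Table -AutoSize
```

Run it under an account that can read the ACLs of the whole tree. Two caveats: the staleness flag depends on NTFS updating last-access timestamps, which many servers disable (check with `fsutil behavior query disablelastaccess`), so an audit trail of actual file reads is the more reliable source for the Stale Data review; and a Full Control grant that arrives through group membership shows up under the group's name, so the group's members still have to be resolved to judge whether the grant is appropriate.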

Control the Group Policy that regulates which applications can run

Encryption ransomware can arrive under any file extension, including .bat, .msi or .exe. Blocking the typical ransomware extensions in your Software Restriction Policy is a good security measure that helps you prevent malware from running. Netwrix Auditor keeps you informed about any removals of file extensions from the policy list. It also reports on all registry key changes that might indicate ransomware attempting to register itself to run automatically at startup.

Software restriction policy

Review the Software Restriction Policy Changes report to learn about any changes to the list of restricted file extensions. Review the other predefined Group Policy change reports to control any improper additions to your application whitelists.

Registry key changes

Use the Interactive Search feature to control additions to the Windows registry startup keys, paying particular attention to the Run key settings. If ransomware has already changed these settings, Netwrix Auditor will show you the path to its executable file, facilitating the removal and remediation process.
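Both checks in this section, removals from the restricted-extension list and additions to the startup keys, can be expressed as a baseline comparison. The PowerShell script below is an added example, not Netwrix Auditor's functionality: it snapshots the Run and RunOnce keys together with the designated file types of a policy-deployed Software Restriction Policy (the ExecutableTypes multi-string value under HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers), saves a baseline on the first run, and on later runs reports removed extensions and added or changed autorun entries together with the command line each entry points to. The baseline file location is an assumption.

```powershell
# Added example (not Netwrix code): diff the autorun keys and the SRP designated file types
# against a saved baseline. The baseline path is an assumed location.
param(
    [string]$BaselinePath = "$env:ProgramData\autorun-baseline.json",   # assumed location
    [switch]$UpdateBaseline
)

$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Designated file types of a policy-deployed SRP live in this REG_MULTI_SZ value.
$SrpKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
# Properties the registry provider adds to every Get-ItemProperty result; not real values.
$ProviderProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Get-AutorunSnapshot {
    $run = @{}
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($ProviderProps -contains $p.Name) { continue }
            $run["$key\$($p.Name)"] = [string]$p.Value      # value = command line the entry launches
        }
    }
    $types = @()
    if (Test-Path $SrpKey) {
        $v = Get-ItemProperty -Path $SrpKey -Name ExecutableTypes -ErrorAction SilentlyContinue
        if ($v) { $types = @($v.ExecutableTypes | ForEach-Object { $_.ToUpperInvariant() }) }
    }
    return @{ Run = $run; ExecutableTypes = $types }
}

function Compare-AutorunSnapshot {
    param($Baseline, $Current)
    $findings = @()
    foreach ($entry in $Current.Run.GetEnumerator()) {
        if (-not $Baseline.Run.ContainsKey($entry.Key)) {
            $findings += [pscustomobject]@{ Type = 'RunEntryAdded';   Item = $entry.Key; Detail = $entry.Value }
        } elseif ($Baseline.Run[$entry.Key] -ne $entry.Value) {
            $findings += [pscustomobject]@{ Type = 'RunEntryChanged'; Item = $entry.Key; Detail = $entry.Value }
        }
    }
    foreach ($ext in $Baseline.ExecutableTypes) {
        if ($Current.ExecutableTypes -notcontains $ext) {
            $findings += [pscustomobject]@{ Type = 'SrpExtensionRemoved'; Item = $ext; Detail = 'no longer treated as executable by SRP' }
        }
    }
    return $findings
}

$current = Get-AutorunSnapshot
if ($UpdateBaseline -or -not (Test-Path $BaselinePath)) {
    $current | ConvertTo-Json -Depth 4 | Set-Content -Path $BaselinePath -Encoding UTF8
    Write-Output "Baseline written to $BaselinePath"
    return
}

# The JSON round-trip turns the hashtable into a PSCustomObject; rebuild it for key lookups.
$raw = Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json
$baselineRun = @{}
foreach ($p in $raw.Run.PSObject.Properties) { $baselineRun[$p.Name] = [string]$p.Value }
$baseline = @{ Run = $baselineRun; ExecutableTypes = @($raw.ExecutableTypes | Where-Object { $_ }) }

$findings = Compare-AutorunSnapshot -Baseline $baseline -Current $current
if ($findings.Count -eq 0) { Write-Output 'No autorun or SRP changes since baseline.' }
else { $findings | Format-Table -AutoSize }
```

Run it once to write the baseline, then on a schedule; rerun with `-UpdateBaseline` after an approved change so that the next comparison starts from the new state. The HKCU keys are those of the account running the script, so a scheduled task under a service account will not see the Run entries of interactive users; covering them means loading each user hive or relying on a collector that audits the registry centrally, which is the gap the Interactive Search described above is meant to close.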

Detect anomalies in user activity

When crypto-ransomware manages to avoid detection by
antimalware solutions and starts running, time is critical to limiting the scope of the damage. The
earlier you can figure out that something is happening to your data, the sooner you can contain the
situation and the less data you will lose. Netwrix Auditor audits all user activity on your file servers
and enables timely detection of anomalies that may indicate ransomware on the loose.

User activity summary

Review the User Activity Summary report to detect suspiciously high numbers of file
reads, failed read attempts, file changes and file deletions, any of which can be indicative of
crypto-ransomware in operation. The report also shows you the user account whose access rights were
used to encrypt your data.

Threshold-based alerts

Enable an early warning system and detect a ransomware attack in progress using
threshold-based alerts that will keep you aware of any anomalous file activity on your servers. You
can choose from a list of predefined alerts or use the flexible criteria to specify your own pattern
of behavior that you consider risky.

Optimize the data recovery process

Recovering from a crypto-ransomware attack usually requires restoring data from a backup kept isolated from your network. Netwrix Auditor helps you identify the affected files to enable a faster, more efficient granular restore.

All file server activity

Review the All File Server Activity report to see detailed information on which files
were accessed, changed or deleted on your file servers during a certain time period and under which
user account those changes were made.

Deleted files and folders

Use the Files and Folders Deleted report to see a complete list of files and folders
that were deleted by the ransomware.
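The threshold alert described under "Detect anomalies in user activity" and the affected-file list needed for a granular restore both work from the same file-server activity records, so one added example serves both sections. The PowerShell below is not Netwrix Auditor's alerting or reporting logic: it runs a sliding-window threshold (assumed: ten modify, delete or failed-read events by one account within five minutes) over constructed sample records, then lists the unique files the flagged account modified or deleted around the alert window, which is the list a restore from the isolated backup needs. The record format (time, user, action, path) is a simplification made up for the example.

```powershell
# Added example (not Netwrix code). Constructed sample activity records: time,user,action,path.
$Raw = @(
    '2024-03-01T09:00:05Z,CORP\alice,Read,\\fs01\finance\Q1\budget.xlsx',
    '2024-03-01T09:01:10Z,CORP\alice,Modify,\\fs01\finance\Q1\budget.xlsx',
    '2024-03-01T09:15:00Z,CORP\alice,Read,\\fs01\finance\Q1\forecast.docx',
    '2024-03-01T10:19:58Z,CORP\bob,Read,\\fs01\hr\policies.docx'
)
# Constructed burst for bob: each original is rewritten under a new extension and the original
# deleted, 24 events in about 12 seconds, the pattern an encrypting process leaves behind.
$Raw += 1..12 | ForEach-Object {
    $stamp = '2024-03-01T10:20:{0:00}Z' -f ($_ + 20)
    "$stamp,CORP\bob,Modify,\\fs01\hr\doc$($_).docx.locked"
    "$stamp,CORP\bob,Delete,\\fs01\hr\doc$($_).docx"
}

$Records = $Raw | ForEach-Object {
    $t, $u, $a, $p = $_ -split ',', 4
    [pscustomobject]@{ Time = [datetime]::Parse($t).ToUniversalTime(); User = $u; Action = $a; Path = $p }
}

function Find-BurstActivity {
    # Sliding window per user over the risky actions; alert when the window holds >= Threshold events.
    param(
        [object[]]$Events,
        [int]$Threshold = 10,                                   # assumed threshold
        [int]$WindowMinutes = 5,                                # assumed window
        [string[]]$RiskyActions = @('Modify', 'Delete', 'FailedRead')
    )
    $window = [timespan]::FromMinutes($WindowMinutes)
    $alerts = @()
    $risky = $Events | Where-Object { $RiskyActions -contains $_.Action }
    foreach ($group in ($risky | Group-Object User)) {
        $items = @($group.Group | Sort-Object Time)
        $start = 0
        for ($i = 0; $i -lt $items.Count; $i++) {
            # Advance the window start until item i lies within WindowMinutes of it.
            while (($items[$i].Time - $items[$start].Time) -gt $window) { $start++ }
            if (($i - $start + 1) -ge $Threshold) {
                $alerts += [pscustomobject]@{
                    User        = $group.Name
                    WindowStart = $items[$start].Time
                    WindowEnd   = $items[$i].Time
                    Events      = $i - $start + 1
                }
                break   # one alert per account is enough to start the response
            }
        }
    }
    return $alerts
}

function Get-AffectedFiles {
    # Unique paths the account modified or deleted in the interval: the input for a granular restore.
    param([object[]]$Events, [string]$User, [datetime]$From, [datetime]$To)
    $Events |
        Where-Object { $_.User -eq $User -and $_.Time -ge $From -and $_.Time -le $To -and $_.Action -in 'Modify', 'Delete' } |
        Select-Object Action, Path |
        Sort-Object Action, Path -Unique
}

$alerts = Find-BurstActivity -Events $Records
foreach ($a in $alerts) {
    Write-Output "ALERT: $($a.User) produced $($a.Events) modify/delete events between $($a.WindowStart) and $($a.WindowEnd) (UTC)"
    # Widen the interval: the first and last encrypted files rarely sit exactly on the alert boundary.
    Get-AffectedFiles -Events $Records -User $a.User -From $a.WindowStart.AddMinutes(-5) -To $a.WindowEnd.AddMinutes(5) |
        Format-Table -AutoSize
}
```

With the sample data, alice's three ordinary events never reach the threshold, while bob trips the alert on his tenth risky event a few seconds into the burst; the restore list then names every `doc*.docx` he deleted and every `.locked` file he wrote. In production the records would come from the file server's object-access audit trail rather than an inline array, and the threshold should be tuned against a normal working day so that a legitimate bulk job (a migration, a mass rename) does not page the on-call engineer.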